1 CLAIMS 

2 Having thus described our invention, what we claim as new and desire to secure by Letters 

3 Patent is as follows: 

4 1. A method comprising: 

5 employing a computer for: 

6 obtaining a collection of code; 

7 providing a program graph representing said collection of code; 

8 identifying any authorization resources of said collection of code; 
0 locating any bounded path within said program graph; and 

H) associating said any authorization resource with said any bounded path. 

if] 

£Q 2. A method as recited in claim 1, wherein said collection of code includes codes obtained from a 

group of codes including basic blocks, class methods, classes, collections of classes or any 

13 combination of these. 

jM 3. A method as recited in claim 1, wherein the step of providing includes constructing said 

;TS program graph through static analysis techniques. 

16 4. A method as recited in claim 3, wherein the step of constructing includes employing object 

17 code. 

18 5. A method as recited in claim 1 , wherein the step of identifying includes finding at least one 

1 9 authorization point in said program graph. 
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1 6. A method as recited in claim 5, wherein the step of finding includes finding a Java 

2 authorization point. 

3 7. A method as recited in claim 6, wherein the step of find a Java authorization point includes 

4 finding a AccessController.checkPermission node in said program graph, and finding a 

5 java. security. Permission object passed as an argument to the AccessController.checkPermission 

6 method. 

7 8. A method as recited in claim 5, wherein said authorization point is an instruction invocation. 

8 9. A method as recited in claim 8, wherein said instruction invocation is used in a particular 
language for said collection of code. 

tk 10. A method as recited in claim 9, wherein said particular language is C#. 

i, iii 

M 1 L A method as recited in claim 1 , wherein the step of identifying includes employing data flow 
analysis. 

If! 

IB 12. A method as recited in claim 11, wherein the step of employing includes generating a data 

iS- flow from said program graph. 

15 13. A method as recited in claim 1, wherein the step of identifying any bounded path includes 

16 locating a set of start nodes in said program graph, and locating a stop node in said program 

1 7 graph; and said bounded path includes all nodes within the graph bound by said start nodes and 

18 said stop node. 

19 14. A method as recited in claim 1, wherein the step of associating includes associating and 

20 aggregating said any authorization resource with said collection of code. 
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1 

2 15. An apparatus comprising: 

3 computing means having: 

4 means for obtaining a collection of code; 

5 means for providing a program graph representing said collection of code; 

6 means for identifying any authorization resources of said collection of code; 

7 means for locating any bounded path within said program graph; and 

8 means for associating said any authorization resource with said any bounded path. 

9 16. An apparatus as recited in claim 15, wherein said collection of code includes codes obtained 
ift from a group of codes including basic blocks, class methods, classes, collections of classes or 

i;l any combination of these. 

|| 17. An apparatus as recited in claim 15, wherein the means for providing includes means for 
constructing said program graph through static analysis techniques. 

14 18. An apparatus as recited in claim 17, wherein the means for constructing includes employing 

l| object code. 

16 19 . An apparatus as recited in claim 15, wherein the means for identifying includes means for 

17 finding at least one authorization point in said program graph. 

18 20. An apparatus as recited in claim 19, wherein the means for finding includes finding a Java 

1 9 authorization point. 

20 21 . An apparatus as recited in claim 20, wherein the means for find a Java authorization point 

21 includes finding a AccessController.checkPermission node in said program graph, and finding a 
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1 java.security.Permission object passed as an argument to the AccessController.checkPermission 

2 method. 

3 22. An apparatus as recited in claim 19, wherein said authorization point is an instruction 

4 invocation. 

5 23. An apparatus as recited in claim 22, wherein said instruction invocation is used in a particular 

6 language for said collection of code. 

7 24. An apparatus as recited in claim 23, wherein said particular language is C#. 

25. An apparatus as recited in claim 15, wherein the means for identifying includes employing 

I % data flow analysis. 

#f) 26. An apparatus as recited in claim 25, wherein the means for employing includes generating a 

W data flow from said program graph. 

|| 27. An apparatus as recited in claim 1 5, wherein the means for identifying any bounded path 

|| includes locating a set of start nodes in said program graph, and locating a stop node in said 

14 program graph; and said bounded path includes all nodes within the graph bound by said start 

1 5 nodes and said stop node. 

16 28. An apparatus as recited in claim 15, wherein the means for associating includes associating 

1 7 and aggregating said any authorization resource with said collection of code. 

18 29. A method comprising: 

1 9 employing a computer including the steps of: 



DOCKET NUMBER: YOR92001 0421 US1 



1 obtaining a collection of code; 

2 providing a program graph representing said collection of code; and 

3 identifying a complete set of authorization resources of said collection of code. 

4 30. A method as recited in claim 29, if no resource is identified in said step of identifying, 

5 further comprising providing an indication that authorization testing is not necessary. 

6 3 1 . A method as recited in claim 29, further comprising: 

7 identifying any bounded path within said program graph; and 

8 associating any authorization resource identified in the step of identifying with said any 

9 bounded path. 

32. An apparatus comprising: 

J3 a computer having access to a collection of code, the computer including: 

| J an authorization resource identifier to identify any authorization resources within the 

13 collection of code; 

|i| a bounded path locator to locate any bounded path within a program graph of said 

IS collection of code; and 

pi 

lf> an associator to associate said any authorization resource with said any bounded path. 

17 33. An apparatus as recited in claim 32, wherein said collection of code includes codes obtained 

1 8 from a group of codes including basic blocks, class methods, classes, collections of classes or 

1 9 any combination of these. 

20 34. An apparatus as recited in claim 32, further comprising a program graph constructor to 

21 construct said program graph through static analysis techniques. 
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1 35. An apparatus as recited in claim 32, wherein the program graph constructor uses object code 

2 of said collection of code. 

3 36. An apparatus as recited in claim 32, wherein the authorization resource identifier finds at 

4 least one authorization point in said program graph. 

5 37. An apparatus as recited in claim 36, wherein at least one authorization point of said at least 

6 one authorization point is a Java authorization point. 

7 38. An apparatus as recited in claim 37, wherein the Java authorization point includes finding a 

8 AccessController.checkPermission node in said program graph, and finding a 

rf java.security.Permission object passed as an argument to the AccessController.checkPermission 

W method. 

£J 39. An apparatus as recited in claim 36, wherein said authorization point is an instruction 

jf| invocation. 

US 40. An apparatus as recited in claim 39, wherein said instruction invocation is used in a particular 

jL4 language for said collection of code. 

15 4 1 . An apparatus as recited in claim 40, wherein said particular language is C#. 

16 42. An apparatus as recited in claim 32, wherein the authorization resource identifier employs 

17 data flow analysis. 

18 43. An apparatus as recited in claim 42, wherein the data flow analysis is generated from said 

19 program graph. 
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1 44. An apparatus comprising: 

2 a computing module having access to a collection of code, the computer module including: 

3 an authorization resource identifier to completely identify any authorization resources 

4 within a collection of code; and 

5 a bounded path locator to locate any bounded path within a program graph of said 

6 collection of code. 

7 45. An apparatus as recited in claim 44, wherein the authorization resource identifier provides an 

8 indication that authorization testing is not necessary if no resource is identified by said 

9 authorization resource identifier. 

!$) 46. An apparatus as recited in claim 44, further comprising an associator to associate said any 

y authorization resource with said any bounded path. 

|J 47. An apparatus comprising: 

15 a computer including: 

14 means for obtaining a collection of code; 

f5 means for providing a program graph representing said collection of code; and 

1 6 means for identifying a complete set of authorization resources of said collection of code. 

17 48. An apparatus as recited in claim 47, further comprising means for indicating if authorization 

1 8 testing is necessary. 

19 49. An apparatus as recited in claim 47, further comprising: 

20 means for identifying any bounded path within said program graph; and 
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1 means for associating any authorization resource identified in the step of identifying with 

2 said any bounded path. 

3 50. A method comprising: 

4 employing a computer for: 

5 constructing a program graph from a collection of code using static analysis techniques; 

6 performing a data flow analysis using static analysis techniques; 

7 searching said program graph for any useful resource for executing said collection of 

8 code; 

9 identifying any bounded path within said program graph over which said useful resource 
W is beneficial; and 

f| associating said useful resource with said collection of code. 

11 51. The method as recited in claim 50, wherein the step of constructing includes employing 

fj source code of said collection of code. 

Ift 52. A method as recited in claim 50, wherein the step of constructing includes building an 

P§ invocation graph of said collection of code to form said program graph. 

16 53. A method as recited in claim 50, wherein the step of constructing a program graph includes 

1 7 constructing a call graph of said collection of code to form said program graph. 

18 54. A method as recited in claim 50, wherein said step of constructing includes using 

1 9 context- sensitivity. 

20 55. A method as recited in claim 54, wherein said step of using context sensitivity includes using 

2 1 type information for any method receiver and/or any parameter. 
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1 56. A method as recited in claim 55, wherein the step of using type information includes using 

2 class and memory allocation site information. 

3 57. A method as recited in claim 56, wherein the step of using type information includes using 

4 per instance information. 

5 58. A method as recited in claim 57, wherein the step of using instance information includes 

6 associating instance information with a node or edge in said program graph. 

7 59. A method as recited in claim 50, wherein said collection of code includes codes constructed 
|3> from a group of codes including basic blocks, class methods, classes, collections of classes or 

:SS. 

f J any combination of these. 

ID 60. A method as recited in claim 50, wherein the step of searching includes locating a node or 

ili edge in said program graph that represents a location where said useful resource would be 

12 beneficial. 

iJL3 61 . A method as recited in claim 60, wherein said useful resource is a resource identifier. 

14 62. A method as recited in claim 60, wherein said location is an authorization test. 

1 5 63. A method as recited in claim 50, wherein said program graph represents an object oriented 

16 program. 

17 64. A method as recited in claim 50, wherein said program graph and said data flow analysis are 

1 8 constructed from Java object code. 
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1 65. A method as recited in claim 61 , wherein said resource identifier includes at least one Java 

2 java.security .Permission. 

3 66. A method as recited in claim 62, wherein said authorization test is a call to any 

4 java.security.AccessControllerxheckPermission method. 

5 67. A method as recited in claim 62, wherein said location represents a call to any authorization 

6 testing method in any instance of java.lang.SecurityManager and/or one of its subclasses. 

7 68. A method as recited in claim 55 , wherein said node has a parameter which said type 

8 information is a Java java.security.Permission. 

69. A method as recited in claim 68, wherein the step of identifying includes locating the 

l|) constructor for said Java java.security.Permission allocation site and using said data flow 

O analysis in identifying any value passed by any parameter to said constructor, wherein the 

combination of the Java java.security.Permission and a value for any parameter is the used 

13 Permission. 

$d 70. A method as recited in claim 50, wherein the step of identifying any bounded path includes 

Jf 5 locating a set of start nodes in said program graph, and locating a stop node in said program 

1 6 graph; and said bounded path includes all nodes within the graph bound by said start nodes and 

1 7 said stop node. 

18 71 . A method as recited in claim 50, wherein the step of associating includes mapping a subset of 

1 9 said collection of code to said useful resource. 

20 72. A method as recited in claim 71, wherein the subset of said collection of code includes nodes 

2 1 in said bounded path. 
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1 73. A method as recited in claim 72, further comprising employing a privileged Java code 

2 wherein said stop node represents the method java.security. AccessController.checkPermission(); 

3 and 

4 employing said start nodes are any of root nodes in said program graph or a node 

5 representing the method java. security. AccessController.doPrivileged(). 

6 74. A method as recited in claim 73, further comprising connecting a used Permission with said 

7 privileged Java code. 

8 75. A method as recited in claim 74, further comprising connecting a used Permission with any 
■if node in said program graph prior to said java.security.AccessController.doPrivileged() node. 

W) 76. A method as recited in claim 74, wherein said step of associating includes connecting a used 

$1 Permission for each java. security. AccessController.checkPermission() in said program graph. 

12 77. A method as recited in claim 76, wherein said step of associating includes connecting said 

if 5 used Permission from each node in said program graph to each method associated with said 

s r, 

|4 program graph. 

n » 

15 78. A method as recited in claim 77, wherein said step of associating includes connecting said 

16 used Permission from each method in said program graph to each class in said program graph. 

1 7 79. A method as recited in claim 78, wherein said step of associating includes connecting said 

1 8 used Permission from each class in said program graph to collection of classes. 

19 80. A method as recited in claim 79, wherein said step of associating includes connecting said 

20 used Permission is associated from each class in said program graph to collection of classes. 
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1 8 1 . A method as recited in claim 50, further comprising employing said useful resource in 

2 executing said collection of code. 

3 82. A method comprising: 

4 statically detecting useful resources for a collection of code written in a computer programming 

5 language, by including the steps of: 

6 calculating if any code of said collection of code is part of a program graph; 



f f identifying any useful resource for said collection of code; 

i| determining any bounded path of nodes within said program graph which 

glf constrain said useful resources of said collection of code; and 

10 associating said any useful resource with said collection of code within said 

n j 

pi bounded path of nodes in said program graph. 

ft 83. A method as recited in claim 82, wherein the step of calculating includes using an 

1 3 invocation graph having a set of root nodes for said program graph. 

14 84. A method as recited in claim 82 5 wherein the step of calculating includes using a call 

1 5 graph having a set of root nodes for said program graph. 

16 85. A method as recited in claim 83, further comprising determining whether a basic block, 

17 method, class is represented as a node in said invocation graph. 
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1 86. A method as recited in claim 84, further comprising determining whether a basic block, 

2 method, class is represented as a node in said call graph. 

3 87. A method as recited in claim 83, further comprising identifying a node in said invocation 

4 graph that identifies said useful resources, wherein said useful resources is one or more 

5 resources. 

6 88. A method as recited in claim 84, further comprising a step identifying a node in said 

7 invocation graph that identifies said useful resources, wherein said useful resources is one or 

8 more resources. 

£!l 89. A method as recited in claim 83, wherein nodes in said bounded path of nodes are all 

$9 nodes in the graph that are bounded between start nodes and a stop node. 

5,5 i 

Q 90. A method as recited in claim 84, wherein nodes in said bounded path of nodes are all 

5 „ if 

|2 nodes in the graph that are bounded between a set of start nodes and a stop node. 

IB 91. A method as recited in claim 90, wherein all root nodes in said invocation graph are 

L4 members of the start nodes. 

15 92. An article of manufacture comprising a computer usable medium having computer readable 

16 program code means embodied therein for causing association, the computer readable program 

17 code means in said article of manufacture comprising computer readable program code means for 

1 8 causing a computer to effect the steps of claim 1 . 

19 93. An article of manufacture comprising a computer usable medium having computer readable 

20 program code means embodied therein for causing identification, the computer readable program 
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1 code means in said article of manufacture comprising computer readable program code means for 

2 causing a computer to effect the steps of claim 29. 

3 94. An article of manufacture comprising a computer usable medium having computer readable 

4 program code means embodied therein for causing association, the computer readable program 

5 code means in said article of manufacture comprising computer readable program code means for 

6 causing a computer to effect the steps of claim 50. 

7 95. An article of manufacture comprising a computer usable medium having computer readable 

8 program code means embodied therein for causing statistical detection, the computer readable 

9 program code means in said article of manufacture comprising computer readable program code 

|# means for causing a computer to effect the steps of claim 80. 

, 

t ;> r_s 

SO 

W 96. A computer program product comprising a computer usable medium having computer 

Q readable program code means embodied therein for causing association, the computer readable 

hi 

1 3 program code means in said computer program product comprising computer readable program 

14 code means for causing a computer to effect the functions of the elements in claim 15. 

Jj 97. A computer program product comprising a computer usable medium having computer 

If readable program code means embodied therein for causing association, the computer readable 

17 program code means in said computer program product comprising computer readable program 

1 8 code means for causing a computer to effect the functions of the elements in claim 32. 

19 98. A computer program product comprising a computer usable medium having computer 

20 readable program code means embodied therein for causing identification, the computer readable 

2 1 program code means in said computer program product comprising computer readable program 

22 code means for causing a computer to effect the functions of the elements in claim 44. 
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99. A computer program product comprising a computer usable medium having computer 
readable program code means embodied therein for causing identification, the computer readable 
program code means in said computer program product comprising computer readable program 
code means for causing a computer to effect the functions of the elements in claim 47. 

100. A program storage device readable by machine, tangibly embodying a program of 
instructions executable by the machine to perform method steps for identification, said method 
steps comprising the steps of claim 1. 
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